b'              U.S. Department of Energy\n              Office of Inspector General\n              Office of Audit Services\n\n\n\n\nAudit Report\nSafeguards Over Sensitive Technology\n\n\n\n\nDOE/IG-0635                                 January 2004\n\x0c\x0c\x0c\x0cSAFEGUARDS OVER SENSITIVE TECHNOLOGY\n\n\nTABLE OF\nCONTENTS\n\n\n\n               Program Results and Cost\n\n\n               Details of Finding ....................................................................... 1\n\n               Recommendations and Comments ........................................... 6\n\n\n               Appendices\n\n               Prior Reports .............................................................................. 9\n\n               Objective, Scope, and Methodology ........................................ 11\n\n               Management Comments .......................................................... 12\n\x0cPROGRAM RESULTS AND COSTS\n\nBackground     Aspects of sensitive technology protection, along with related impacts on\n               national security, have been addressed in various formats by the\n               Department of Energy and several other Federal agencies. For example:\n\n                  \xe2\x80\xa2   The Departments of Energy, Defense, and Commerce each\n                      maintain lists of technologies they deem sensitive.\n\n                  \xe2\x80\xa2   The Department of Energy (Department) has designated certain\n                      countries as sensitive for reasons of national security,\n                      nonproliferation, antiterrorism, or economic security. As applied\n                      to other nations, the term "sensitive" requires that Department and\n                      Laboratory personnel exercise caution when interacting with the\n                      citizens of the designated countries.\n\n                  \xe2\x80\xa2   The Department has also issued policy and requirements (DOE\n                      Order and Notice 142.1) on unclassified foreign visits and\n                      assignments which state that sensitive technology is not to be\n                      accessed by foreign nationals, including permanent resident aliens,\n                      without proper authorization.\n\n                  \xe2\x80\xa2   The Departments of State, Commerce, and Treasury regularly\n                      publish and update lists of individuals and companies that have\n                      been prohibited from conducting business with the Federal\n                      government. In some cases, the prohibitions were put into place\n                      because the individuals or countries were deemed to represent a\n                      threat to the United States.\n\n                  \xe2\x80\xa2   In August 2002, the Department promulgated a counterintelligence\n                      procedure that called for local counterintelligence officers to\n                      partner with local technology partnership offices to conduct\n                      reviews of Cooperative Research and Development Agreements\n                      (CRADA) to determine if they involve sensitive or classified\n                      information. This was the result of a July 1998 study, "Mapping\n                      the Future of the Department of Energy Counter- intelligence\n                      Program," which found that there was very little scrutiny in this\n                      area and that the Department was vulnerable with respect to the\n                      activities under these agreements.\n\n\n\n\nPage 1                                                                Details of Finding\n\x0cControls   Despite the aforementioned initiatives, our review of about 200\n           CRADA and Work for Others (WFO) agreements at Sandia, Los\n           Alamos, and Oak Ridge National Laboratories disclosed that the\n           laboratories did not consistently control access to sensitive\n           technologies. For example:\n\n              \xe2\x80\xa2   Los Alamos assigned foreign nationals to two projects, which\n                  we determined could involve sensitive technologies, without\n                  any indication that proper authorization had been granted. In\n                  one case, Los Alamos assigned a Chinese national to a CRADA\n                  involving biological sensors. The Chinese national was later\n                  replaced with a Russian national. Both China and Russia are on\n                  the Department\'s list of sensitive countries. In the other\n                  instance, Los Alamos assigned a Chinese national to a project\n                  involving nanotechnology.\n\n                  Management, in response to a draft of the report, stated that the\n                  technologies were screened against State and Commerce\n                  Department regulations, and were not sensitive. However, there\n                  was no evidence that the Laboratory considered other sensitive\n                  technology lists referenced in the Department\xe2\x80\x99s export control\n                  guidance. Both technologies were on Department of Defense\n                  sensitive subject lists, and were also identified in the Wassenaar\n                  Arrangement, an international agreement to prevent the\n                  proliferation of sensitive technology, to which the United States\n                  is a signatory. In addition, the biological sensor CRADA file\n                  indicated that the research being performed directly contributed\n                  to the Laboratory\'s "strategic objectives in threat reduction and\n                  strategic research," which includes preventing the proliferation\n                  of chemical and biological weapons by providing early warning\n                  tools to intelligence services. As such, the development of\n                  biological sensors could be considered a sensitive technology\n                  requiring special attention.\n\n                  Management further stated that two of the three individuals\n                  assigned to the projects were permanent resident aliens, the third\n                  was naturalized prior to being assigned, and all were vetted\n                  according to existing requirements. Nevertheless, project files\n                  did not include documentation to support management\'s\n                  assertion. For example, the project file relating to the\n                  nanotechnology CRADA identified the assignee as a foreign\n                  national. However, while the Laboratory stated he was a U.S.\n                  citizen, no proof of U.S. citizenship was provided.\n\n\n\n\nPage 2                                                           Details of Finding\n\x0c         \xe2\x80\xa2   Similarly, Oak Ridge assigned foreign nationals to five\n             agreements, which we determined could involve sensitive\n             technologies, without evidence of proper authorization. In one\n             case, an Indian national (India is also on the Department\'s\n             sensitive country list) was assigned to research involving\n             advanced manufacturing processes. Oak Ridge did not consider\n             the research to be sensitive because it was not specifically\n             referenced in the Export Administration Regulations. We noted,\n             however, that while neither the Department of Commerce nor\n             the Department\'s Sensitive Subject List is all-inclusive, each list\n             makes reference to lists maintained by other agencies. We\n             found that advanced manufacturing processes were included on\n             the Department of Defense Militarily Critical Technologies List.\n\n         \xe2\x80\xa2   In six cases, Sandia made incorrect determinations regarding\n             foreign involvement. For example, Sandia determined that an\n             agreement did not involve foreign or foreign-funded partners,\n             yet the agreement file indicated that the partner was a university\n             that would be providing the results of the CRADA to foreign\n             officials. We found a similar incorrect determination at Los\n             Alamos.\n\n         \xe2\x80\xa2   At Sandia, security documents for classified agreements were\n             not submitted to the Department or were not approved by the\n             Department in a timely manner. Our sample contained six\n             classified agreements, each of which required Contract Security\n             Classification Forms. These forms identify the level of security\n             to apply to the work being conducted. Two of the classified\n             agreements, including one that was Top Secret, never had the\n             classification forms submitted. In the remaining four\n             agreements, the Department took an average of 583 days after\n             the start of the agreement to approve the classification form.\n\n         \xe2\x80\xa2   None of the 198 agreement files at any of the laboratories had\n             any indication that the names of CRADA and WFO partners\n             were compared against prohibited party lists, even though the\n             laboratories were aware that such lists existed and were aware\n             that they were prohibited from doing business with certain\n             companies, individuals, and countries. Sandia had an automated\n             system designed to compare partner names against the\n             prohibited parties lists, but it was not used.\n\n\n\nPage 3                                                      Details of Finding\n\x0c                           \xe2\x80\xa2   Departmental counterintelligence policy called for reviews of\n                               CRADA agreements, but these reviews were not consistently\n                               completed. Oak Ridge was performing the required reviews.\n                               However, Sandia counterintelligence officials stated that they\n                               had not conducted any of the reviews, while Los Alamos\n                               relied on technology partnership and classification\n                               personnel \xe2\x80\x93 not counterintelligence officials \xe2\x80\x93 to identify any\n                               CRADA-related counterintelligence issues.\n\nDepartment Procedures   The Department and other agencies have issued a variety of controls\n                        (lists, descriptions, and policy statements) that had a bearing on the\n                        protection of sensitive technologies. However, the laboratories did\n                        not consistently apply the controls as they related to:\n\n                           \xe2\x80\xa2   Sensitive technology lists that should be consulted;\n\n                           \xe2\x80\xa2   The manner in which authorizations for persons from\n                               sensitive countries to work on CRADAs or WFO projects\n                               should be obtained and documented;\n\n                           \xe2\x80\xa2   Determinations regarding foreign involvement;\n\n                           \xe2\x80\xa2   Approval of security classification forms prior to entering\n                               into agreements; and,\n\n                           \xe2\x80\xa2   Counterintelligence reviews of CRADAs.\n\n                        In addition, guidance, as it related to assignments of foreign\n                        nationals, was unclear. Department Notice 142.1 prohibits foreign\n                        nationals, including permanent resident aliens, from working on\n                        sensitive technology without prior authorization. At the same time,\n                        the Department\'s export control guidance treats permanent resident\n                        aliens as U.S. citizens. Laboratory officials indicated that there was\n                        confusion between these two documents. Notice 142.1 is now being\n                        incorporated into Draft Order 142.X Unclassified Foreign Visits and\n                        Assignments Program, which will define foreign nationals as\n                        individuals born outside the United States that have not been\n                        naturalized. The draft order further states that sensitive technologies\n                        require special management oversight before they can be released to\n                        foreign nationals.\n\n\n\n\nPage 4                                                                     Details of Finding\n\x0c         The Office of Inspector General previously reported on the lack of clear\n         guidance regarding foreign national visits and assignments. Our report,\n         Inspection of the Department of Energy\'s Export License Process for\n         Foreign National Visits and Assignments (DOE/IG-0465, March 2000),\n         identified a lack of clarity in the Department\'s guidance. In December\n         2002, we reported that two national laboratories had not adequately\n         controlled unclassified visits and assignments by foreign nationals (The\n         Department\'s Unclassified Foreign Visits and Assignments Program,\n         DOE/IG-0579). In response to the latter report, management agreed to\n         update and clarify the Department\xe2\x80\x99s foreign visit and assignment\n         policy. As of December 2003, the policy had not been finalized.\n\n         Department officials also expressed the view that, in some cases, the\n         laboratories had resisted efforts to emphasize the importance of\n         safeguarding sensitive technology. As an example, a commission\n         chartered by the Secretary of Energy found, in June 2002, that the\n         relationship between the Department\'s scientists and counterintelligence\n         communities was "broken and in need of repair." The commission\n         recommended strengthening this relationship. Despite the\n         recommendations from both Congress and the Department,\n         Headquarters officials stated that the laboratories continued to resist\n         these efforts. Further, while performance measures established for the\n         laboratories called for promoting the use of partnership agreements,\n         such as CRADAs, they did not address the safeguarding of sensitive\n         technology.\n\n         In addition, we found that the training provided to Laboratory personnel\n         did not adequately address sensitive technology and economic\n         espionage. We interviewed 30 laboratory principal investigators and\n         found that 25 had received some type of export control-related training.\n         However, the course material did not fully discuss the existence of\n         prohibited parties lists, the seriousness of the economic espionage\n         threat, or the methods used to acquire U.S. sensitive technologies.\n\nRisks    Without consistent implementation of controls, the Department\n         increases the risk that its most sensitive technologies could be obtained\n         by or diverted to groups or countries hostile to the U.S. Because such\n         technologies have, by definition, the potential to enhance weapons of\n         mass destruction, their uncontrolled dissemination represents a potential\n         threat to our nation\'s security.\n\n\n\n\nPage 5                                                       Details of Finding\n\x0c                  A recent report prepared by the Department of Defense illustrates the\n                  importance of strong controls over sensitive technology. The report\n                  noted that students from a sensitive country attending U.S. universities\n                  obtained technology from a Department laboratory that allowed their\n                  country to produce a metal used in sensors and weapons. The report\n                  also noted that, in 1991, China published a science and technology\n                  collection manual that called on using open sources to acquire\n                  technology for China\'s defense program. Examples of open sources\n                  include joint ventures, CRADAs, foreign students, and scientific\n                  exchanges.\n\n                  Such concerns are even more serious when controls over technologies\n                  that involve classified material are not observed, as was the case in six\n                  classified agreements we reviewed. In one of these cases, classification\n                  forms were not approved until about a year after the work on the\n                  agreement was completed. In the second case the classification form\n                  was completed eighteen days before the work was completed. As a\n                  result, any assurance the Department might have had that classified\n                  material associated with these projects was properly safeguarded was\n                  significantly reduced.\n\n\nRECOMMENDATIONS   1. We recommend that the Deputy Administrator for Defense\n                     Programs, and the Director, Office of Science, in consultation with\n                     their respective counterintelligence offices and other appropriate\n                     staff offices:\n\n                     a) Ensure consistent implementation of procedures to safeguard\n                        CRADA and WFO activities involving foreign nationals and\n                        sensitive technology; and,\n\n                     b) Ensure consistent implementation of counterintelligence policies\n                        related to CRADA activities.\n\n                  2. We recommend that the Director, Office of Security, and the Chief,\n                     Defense Nuclear Security, establish a consistent policy regarding\n                     the assignment of foreign nationals to CRADAs and WFO\n                     agreements.\n\n                  3. We recommend that the NNSA Site Office Managers, and the\n                     Office of Science Operations Office Managers:\n\n                     a) Ensure that Security Classification Forms are reviewed and\n                        approved before an agreement is signed; and,\n\nPage 6                                             Recommendations and Comments\n\x0c                  b) Ensure that adequate training is provided to principal\n                     investigators and technology partnership personnel regarding\n                     the economic espionage threat and the importance of protecting\n                     sensitive technology.\n\n             4.   We recommend that the Deputy Administrator for Defense\n                  Programs and the Director, Office of Science establish\n                  performance measures to ensure that controls over sensitive\n                  technology are effectively implemented.\n\n\nMANAGEMENT   NNSA, commenting on behalf of the Offices of Science and Security\nREACTION     and NNSA staff and field elements, generally agreed with the\n             recommendations, but disagreed that the Department, as a whole, had\n             not adequately controlled access to sensitive technologies.\n\n             NNSA stated that the differences in CRADA handling procedures at the\n             various laboratories were not due to differences between the Office of\n             Counterintelligence and NNSA\xe2\x80\x99s Office of Defense Nuclear\n             Counterintelligence, nor were they due to subsequent promulgation of\n             the policy.\n\n             Management also stated that, in no case, were laboratory employees\n             inappropriately assigned to the projects cited in the report. The\n             laboratory employees assigned to the projects were vetted against all\n             existing regulations. Specifically, the Commerce and State Department\n             regulations designate Permanent Resident Aliens as \xe2\x80\x9cU.S. Persons\xe2\x80\x9d \xe2\x80\x93\n             equivalent, for these purposes, to citizens. The projects were also\n             screened against Commerce and State Department regulations and were\n             determined not to be sensitive. Management asserted that when the\n             technology, such as those items cited in the report, is under the\n             jurisdiction of the Department of Commerce, other sensitive lists do not\n             apply.\n\n             NNSA acknowledged that controls over technologies involving\n             classified materials must be more stringently applied and, in separate\n             comments, the Director, Office of Counterintelligence stated that\n             Departmental directives addressing the establishment of CRADAs/\n             WFOs by technology offices should include a requirement that the\n             technology office must solicit a local counterintelligence and security\n             review and input to any CRADA/WFO initiative.\n\n\n\n\nPage 7                                        Recommendations and Comments\n\x0cAUDITOR COMMENTS   Regarding differences in CRADA handling procedures at each\n                   laboratory, the Office of Inspector General agrees that the issue is not\n                   one of varying policy between the Office of Intelligence and NNSA\xe2\x80\x99s\n                   Office of Defense Nuclear Counterintelligence. Rather, as shown in the\n                   report, implementation of the policy differed from site to site.\n\n                   Further, we agree that in several of the examples we cited, the\n                   laboratories performed and documented some reviews of foreign\n                   involvement, comparisons to lists of sensitive technologies, and other\n                   similar procedures. As noted in the report, however, the laboratories\n                   did not always take advantage of readily available information that\n                   could have made efforts to screen sensitive technologies more robust.\n                   For example, although projects were vetted in accordance with State\n                   and Commerce Department regulations, additional sensitive technology\n                   lists could have been consulted, a precaution suggested in Department\n                   of Energy guidance. In particular, the Office of Inspector General\n                   noted cases where lists maintained by the Department of Defense\n                   included some of the technologies the laboratories did not consider\n                   sensitive.\n\n                   Finally, regarding the assignment of Permanent Resident Aliens to the\n                   projects cited in the report, the Office of Inspector General understands\n                   that there is an apparent conflict between Department Notice 142.1 and\n                   Commerce\xe2\x80\x99s Export Control guidance. The Department Notice states\n                   that foreign nationals, including Permanent Resident Aliens, are\n                   prohibited from working on sensitive technologies without prior\n                   authorization. As such, obtaining that authorization \xe2\x80\x93 whether required\n                   by export control regulations or not \xe2\x80\x93 is, in our judgment, prudent.\n\n                   Where appropriate, alterations were made to the report to address issues\n                   raised by management in their comments. Management\xe2\x80\x99s comments\n                   are included in their entirety as Appendix 3.\n\n\n\n\nPage 8                                              Recommendations and Comments\n\x0cAppendix 1\n\n                                            PRIOR REPORTS\n\n  Office of Inspector General Reports\n\n     \xe2\x80\xa2   The Department\'s Unclassified Foreign Visits and Assignments Program (DOE/IG-0579,\n         December 2002). The report found that the Department had not adequately controlled\n         unclassified visits and assignments by foreign nationals at two national laboratories.\n         Specifically, one managed by the Office of Science and one by NNSA, had not ensured that all\n         foreign nationals had current passports and visas.\n\n     \xe2\x80\xa2   Inspection of Selected Aspects of The Department of Energy\'s Classified Document\n         Transmittal Process (DOE/IG-0488, November 2000). The report found that the Department\'s\n         laboratories did not always adhere to the Department\'s Safeguards and Security polices and\n         procedures for the transmittal of classified documents.\n\n     \xe2\x80\xa2   Inspection of the Department of Energy\'s Export License Process for Foreign National Visits\n         and Assignments (DOE/IG-0465, March 2000). The report found that the Department\xe2\x80\x99s\n         process for determining whether an export license was needed for a foreign visit or assignment\n         to a Department site needed improvement. Specifically, clear guidance on the roles,\n         responsibilities and requirements for export licenses was not provided and the Department was\n         not aware of the precise number of foreign visitors at each of the national laboratories.\n\n     \xe2\x80\xa2   Inspection of the Sale of a Paragon Supercomputer by Sandia National Laboratories (DOE/\n         IG-0455, December 1999). The report found that Sandia failed to follow export control\n         regulations related to selling the Paragon computer. Further, Sandia was not sufficiently\n         sensitive to potential national security issues associated with the sale of the supercomputer,\n         especially after learning of plans the purchaser had of selling parts of the computer to the\n         People\'s Republic of China.\n\n     \xe2\x80\xa2   The Department of Energy\'s Export Licensing Process For Dual-Use and Munitions\n         Commodities (DOE/IG-0445, May 1999). The report found that guidance was not clear\n         regarding when a deemed export license would be required for an assignment involving a\n         foreign national. Problems were also found with the process for reviewing assignments of\n         foreign nationals when export control concerns were involved.\n\n  Other Reports\n\n     \xe2\x80\xa2   Department of Energy: Key Factors Underlying Security Problems at DOE Facilities, (GAO/\n         T-RCED-99-159, April 1999). The testimony stated that: (1) the Department had ineffective\n         controls over foreign visitors to its most sensitive facilities; (2) counterintelligence programs to\n         guard against foreign and industrial espionage activities received little priority and attention;\n         and (3) there were weaknesses in controls to protect classified and sensitive information.\n\n\n\nPage 9                                                                                         Prior Reports\n\x0cAppendix 1 (continued)\n\n     \xe2\x80\xa2    Economic Espionage: Information on Threat from U.S. Allies, (AO/T-NSIAD-96-114,\n          February 1996). The testimony stated that some close U.S. allies actively seek to obtain\n          classified and technical information from the United States through unauthorized means.\n          Intelligence agencies have determined that foreign intelligence activities directed at U.S.\n          critical technologies pose a significant threat to national security.\n\n     \xe2\x80\xa2    Nuclear Nonproliferation: DOE Needs Better Controls to Identify Contractors Having\n          Foreign Interest, (GAO/RCED-91-83, March 1991). The report found that overall neither the\n          Department nor its weapons laboratories (Lawrence Livermore, Los Alamos, and Sandia\n          National Laboratories) fully complied with Departmental regulations and procedures for\n          determining whether contractors are subject to foreign interest and preventing associated risks.\n          GAO estimated that about 98 percent of the classified contracts awarded at the weapons\n          laboratories from October 1987 to March 1990 that were subject to Foreign Ownership Control\n          and Interest procedures did not fully comply with those procedures.\n\n\n\n\nPage 10                                                                                       Prior Reports\n\x0cAppendix 2\n\nOBJECTIVE     The objective of this audit was to determine whether sensitive\n              technologies were being adequately protected.\n\n\nSCOPE         The audit was performed between January 2003 and July 2003 at\n              Headquarters NNSA, the NNSA Service Center in Albuquerque, New\n              Mexico; Sandia National Laboratories (Sandia); Los Alamos National\n              Laboratory (Los Alamos); and Oak Ridge National Laboratory (Oak\n              Ridge). The audit examined FY 2001 and 2002 active CRADA and\n              WFO agreements involving sensitive technologies.\n\n\nMETHODOLOGY   To accomplish the audit objective, we:\n\n                 \xe2\x80\xa2   Reviewed applicable public laws, department orders, other\n                     departmental guidance, related correspondence, and contracts;\n\n                 \xe2\x80\xa2   Reviewed prior Office of Inspector General and General\n                     Accounting Office reports;\n\n                 \xe2\x80\xa2   Reviewed compliance with the Government Performance and\n                     Results Act of 1993;\n\n                 \xe2\x80\xa2   Reviewed 198 active FY 2001 and 2002 CRADA and WFO\n                     agreements at Sandia, Los Alamos, and Oak Ridge;\n\n                 \xe2\x80\xa2   Interviewed key Headquarters, Field, and Laboratory personnel;\n                     and,\n\n                 \xe2\x80\xa2   Reviewed contents of applicable training courses.\n\n              The audit was conducted in accordance with generally accepted\n              Government auditing standards for performance audits and included\n              tests of internal controls and compliance with laws and regulations to\n              the extent necessary to satisfy the objective of the audit. Accordingly,\n              we assessed the significant internal controls and performance measures\n              established under The Government Performance and Results Act of\n              1993 and found that performance measures did not address the need for\n              safeguarding sensitive technology in the technology transfer program.\n              Because our review was limited, it would not necessarily have disclosed\n              all internal control deficiencies that may have existed at the time of our\n              audit. Computer processed data was not relied upon extensively in the\n              conduct of this audit. We discussed the findings with the Director,\n              Policy and Internal Controls Management on December 10, 2003.\n\nPage 11                                       Objective, Scope, and Methodology\n\x0c\x0c\x0c\x0c\x0cAppendix 3 (continued)\n\n\n\n\nPage 16                  Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 17                  Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 18                  Management Comments\n\x0c                                                                              IG Report No.: DOE/IG-0635\n\n                                    CUSTOMER RESPONSE FORM\n\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its products. We\nwish to make our reports as responsive as possible to our customers\' requirements, and, therefore, ask that\nyou consider sharing your thoughts with us. On the back of this form, you may suggest improvements to\nenhance the effectiveness of future reports. Please include answers to the following questions if they are\napplicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or procedures of the\n   audit would have been helpful to the reader in understanding this report?\n\n2. What additional information related to findings and recommendations could have been included in this\n   report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s overall message more\n   clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues discussed in this\n   report which would have been helpful?\n\nPlease include your name and telephone number so that we may contact you should we have any questions\nabout your comments.\n\nName _____________________________             Date __________________________\n\nTelephone _________________________            Organization ____________________\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-\n0948, or you may mail it to:\n\n                                     Office of Inspector General (IG-1)\n                                           Department of Energy\n                                          Washington, DC 20585\n\n                                        ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of Inspector General,\nplease contact Wilma Slaughter at (202) 586-1924.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                            following address:\n\n\n                  U.S. Department of Energy, Office of Inspector General, Home Page\n                                       http://www.ig.doe.gov\n\n                    Your comments would be appreciated and can be provided on the\n                           Customer Response Form attached to the report.\n\x0c'